Bug 220781

Summary:

[Flatpak SDK] Flatpak 1.10 environment variable issues

Product:

WebKit

Reporter:

Lauro Moura <lmoura>

Component:

Tools / Tests

Assignee:

Philippe Normand <pnormand>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

aperez, pnormand, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=221068
https://bugs.webkit.org/show_bug.cgi?id=221070
https://bugs.webkit.org/show_bug.cgi?id=221711

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	aperez: review+

Lauro Moura

Reported 2021-01-20 15:19:46 PST

Flatpak 1.10 changed how environment variables are passed to bwrap, making our current scripts fail. For example, WEBKIT_BUILD_DIR_BIND_MOUNT and the LC_* variables. These are two cases where webkit-bwrap (our python wrapper around bwrap) does not find them in the os.environ dictionary and fails to process. In the case of WEBKIT_BUILD_DIR_BIND_MOUNT, this is causing the bind-mount from `WebKitBuild/<PORT>/<CONFIG>` (host) to `/app/webkit/WebKitBuild/<CONFIG>` (sandbox) to not be enabled, leading to always building in the `WebKitBuild/<CONFIG>` dir. In the case of LC_*, this brought back the locale issue fixed by r263397. Bisecting flatpak, the commit https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486 (run: Convert all environment variables into bwrap arguments) is the first failure. Inspecting webkit-bwrap in a call to bash (Tools/Scripts/webkit-flatpak --verbose -c bash + some print's), webkit-bwrap is inkoved three times: * ldconfig, with a normal os.environ * flatpak-dbux-proxy, with the augmented os.environ with the extra info from webkit scripts * bash (actual command). Here things start to differ. Before the mentioned commit, the last invocation has the same environment as the second one, with all extra information. But after the commit, now just LC_CTYPE is forwarded to webkit-bwrap. Trying to use flatpak's `--env=....` did not expose the variable to bwrap, but only to the sandboxed process itself. Meanwhile, falling back to 1.6.5 (Focal's) seems to be working fine. But as the change comes from a security advisory, there's a chance the changes will be picked by distros in the LTS packages.

Attachments
Patch (4.53 KB, patch) 2021-01-22 01:36 PST, Philippe Normand	no flags	Details Formatted Diff Diff
Patch (8.05 KB, patch) 2021-01-26 04:56 PST, Philippe Normand	no flags	Details Formatted Diff Diff
Patch (8.53 KB, patch) 2021-01-26 10:18 PST, Philippe Normand	aperez: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Philippe Normand

Comment 1 2021-01-21 07:50:58 PST

I'm afraid we'll need to fix bug 213878 very soon indeed. They're backporting this CVE fix in older flatpak releases...

Philippe Normand

Comment 2 2021-01-22 01:36:49 PST

Created attachment 418118 [details] Patch

Adrian Perez

Comment 3 2021-01-25 00:44:16 PST

Comment on attachment 418118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=418118&action=review > Tools/flatpak/flatpakutils.py:854 > + if envvar.startswith("LC"): It would be safer to list the local-related LC_* variable names only: if envvar in ("LC_CTYPE=", "LC_NUMERIC", "LC_TIME", "LC_COLLATE", "LC_MONETARY", "LC_MESSAGES", "LC_PAPER", "LC_NAME", "LC_ADDRESS", "LC_TELEPHONE", "LC_MEASUREMENT", "LC_IDENTIFICATION", "LC_ALL"): If the above feels like too much of a mouthful (though I think it's fine), at least I would make this check “.startswith("LC_")” — to make sure some other variable like “LCFOO” is not accidentally picked by the loop. Also: This check does not match the “LANG” variable, which can also be used to setup locale attributes. Is that on purpose, or maybe missing a check here?

Lauro Moura

Comment 4 2021-01-25 10:36:39 PST

(In reply to Adrian Perez from comment #3) > Comment on attachment 418118 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=418118&action=review > > > Tools/flatpak/flatpakutils.py:854 > > + if envvar.startswith("LC"): > > It would be safer to list the local-related LC_* variable names only: > > if envvar in ("LC_CTYPE=", "LC_NUMERIC", "LC_TIME", "LC_COLLATE", > "LC_MONETARY", "LC_MESSAGES", "LC_PAPER", "LC_NAME", > "LC_ADDRESS", "LC_TELEPHONE", "LC_MEASUREMENT", > "LC_IDENTIFICATION", "LC_ALL"): > > If the above feels like too much of a mouthful (though I think it's fine), > at least I would make this check “.startswith("LC_")” — to make sure some > other variable like “LCFOO” is not accidentally picked by the loop. > Indeed `.startswith("LC")` is too greedy. I'm fine with listing them explicitly. But one issue with this I just found was that `--unset-env` was added in flatpak 1.10 (as part of the overall CVE work that triggered this change). The patch as-is failed here with flatpak 1.6.5 from Ubuntu 20.04 LTS due to this. At the time I had tested it only with 1.10.0, sorry. This could lead to duplicate information (and risking the old "nothing is more permanent than a temporary fix"), but what if we end up cleaning up the LC_ vars both in flatpakutils.py (through unset-env is flatpak >=1.10) and webkit-bwrap (for older flatpak versions) while the proper solution in bug213878 is developed? > Also: This check does not match the “LANG” variable, which can also be > used to setup locale attributes. Is that on purpose, or maybe missing a > check here? Currently LANG is always overridden by webkit-bwrap to en_US.UTF-8, but LANGUAGE is also cleared and needs to be added to the list.

Philippe Normand

Comment 5 2021-01-25 10:43:45 PST

I'm not sure bug 213878 is the way forward anymore, because it would imply a rather large NIH, reinventing what both `flatpak run` and the whole instance concept already implemented there (`flatpak ps`, `flatpak enter ...`).

Philippe Normand

Comment 6 2021-01-26 04:56:06 PST

Created attachment 418395 [details] Patch

Philippe Normand

Comment 7 2021-01-26 05:40:37 PST

Comment on attachment 418395 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=418395&action=review > Tools/flatpak/flatpakutils.py:856 > + if self.flatpak_version >= (1, 10, 0): A version check is not necessarily right, would be better to check the existence of the option instead. I'll revisit this part.

Adrian Perez

Comment 8 2021-01-26 07:49:38 PST

Comment on attachment 418395 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=418395&action=review >> Tools/flatpak/flatpakutils.py:856 >> + if self.flatpak_version >= (1, 10, 0): > > A version check is not necessarily right, would be better to check the existence of the option instead. I'll revisit this part. A version check is quite likely safer and more robust than trying to parse the output of “flatpak --help” — I think it's okay to leave it like thi =)

Philippe Normand

Comment 9 2021-01-26 07:53:37 PST

I'm afraid this option will be added in older versions.

Philippe Normand

Comment 10 2021-01-26 10:18:54 PST

Created attachment 418438 [details] Patch

Lauro Moura

Comment 11 2021-01-26 12:38:14 PST

Comment on attachment 418438 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=418438&action=review Tested here and it's working fine. Just two minor comments. > Tools/flatpak/flatpakutils.py:176 > + return output.find(option) != -1 What about `return option in output`, as it does not need the index? > Tools/flatpak/flatpakutils.py:864 > + if self.flatpak_version >= (1, 10, 0) or self.flatpak_run_has_unsetenv_option: Does it need an explicit 1.10 check? Shouldn't `self.flatpak_has_unsetenv_option` always be true for it?

Philippe Normand

Comment 12 2021-01-27 01:03:50 PST

Comment on attachment 418395 [details] Patch I got confused thinking that new option was part of the CVE fix, but it's not the case. So it's simpler to land this version.

Philippe Normand

Comment 13 2021-01-27 01:06:40 PST

Committed r271938: <https://trac.webkit.org/changeset/271938>

Radar WebKit Bug Importer

Comment 14 2021-01-27 01:09:42 PST

<rdar://problem/73653233>

Note You need to log in before you can comment on or make changes to this bug.